Auditing Docker Containers in a DevOps Environment

The handy auditd package can help track down weaknesses in your system before, during, or after an attack.

Given the constant, ever-present threat of the many attacks to which a Linux system can be subjected, it’s critical to capture important changes and events made by users and processes on your running systems.

Highlighting such changes could potentially point toward something as innocuous as a simple misconfiguration but, equally, might proactively help stop an impending attack dead in its tracks. Additionally, having trustworthy, detailed logging data is exceptionally useful for post-event forensic analysis, especially when you are trying to discern how an attacker originally managed to compromise your system and get a foothold.

One such package I have been using recently on a large AWS server estate is called auditd. Its man page states: “auditd is the userspace component to the Linux Auditing System.”